Recall of Medtronic Insulin Pumps Because of Cybersecurity Vulnerabilities

Alerts regarding the cybersecurity vulnerabilities discovered in several Medtronic insulin pumps were released by the United States Computer Emergency Readiness Team (US-CERT) and the Food and Drug Administration (FDA).

The vulnerable insulin pumps connect to other medical devices, such as blood glucose meters, CareLink USB devices, and glucose sensor transmitters, via wireless RF. Vulnerabilities were identified in several MiniMed Paradigm and MiniMed 508 insulin pumps. An attacker with adjacent access to a vulnerable device could intercept, alter, or interfere with the RF communications to and from the device.

As a result, such an attacker could read data transmitted to and from the device, alter the insulin pump configurations, and control insulin delivery. This could potentially lead to diabetic ketoacidosis, hypoglycemia, or death.

The FDA deputy director of strategic partnerships and technology innovation, Suzanne Schwartz, spoke of a substantial risk of patient harm if the vulnerability is not resolved. At this time, the vulnerability has not been exploited.

Though the available mitigations could help reduce the risk of exploitation, Medtronic was unable to develop a patch or a software update to fix the vulnerability. Medtronic therefore opted to recall the vulnerable insulin pumps and provide new devices with better cybersecurity protections.

Medtronic said that around 4,000 patients in America use vulnerable insulin pumps. Patients are advised to contact their care providers right away to obtain a replacement insulin pump.